To avoid getting your account illegally accessed, avoid the Facebook and Twitter apps for Android when on an open Wi-Fi connection. Simply use your browser of choice and navigate to the https version of these pages. Kill the Calendar app while you're at it, to avoid it being accessed.

Authentication schemes have often been adopted
by widely used websites out of convenience, but they have also become a growing
source of serious security risks in recent years. On an open Wi-Fi
network a stranger with the proper tools can see everything, including your
authentication token. With that token they can access your Facebook or Twitter
account, with little skill involved.

Such issues were long thought to be constrained to
the PC, with programs like Firesheep making exploitation a cakewalk for novice
hackers. However, a weak authentication API (application programming
interface) has landed Google's Android OS as the latest victim of exploits.

Like on PCs, Google's API requests a token by sending
an encrypted password and user name over a clear http connection. Since
http is used, the response token is broadcast in plaintext over your network
connection. That means that on a public network everyone can see it.

The exploit was just discovered [press release] this week by Bastian Könings,
Jens Nickels, and Florian Schaub, a trio of German researchers at the University
of Ulm. They conducted a proof-of-concept attack, using Wireshark to
sniff the packets containing the authentication token from certain Android
apps. They found that any Android version prior to 2.3.4 (the most recent
version of Android "Gingerbread") was susceptible.

The exploit affects all first and third party apps
that make use of the ClientLogin API. Apps that use this API for
authentication include Facebook, Twitter, and Google's own Calendar app.

It is unknown whether iOS's
authentication-dependent APIs are completely secure or whether one or more of
them might have similar issues. But pro-Apple commentators were quick to
gloat about this apparent security embarrassment for Android. Daring
Fireball blogger John Gruber took the opportunity to take a jab
at the laggard pace of updates from Android hardware makers and phone
carriers, writing:

I’m sure most Android handsets will be updated
to version 2.3.4 or later very soon, so no worries.

While the exploit is indeed troublesome, there's
still plenty that Android users who don't have the update can do to protect
themselves. First and foremost they can avoid open Wi-Fi networks.

If that's not an option, users can still safeguard
themselves with a bit of work.

Android users can simply access Facebook and
Twitter via the https versions of the pages in the browser, instead of using
the commonly used Android apps. There shouldn’t be any authentication
issues if that approach is taken.

The calendar is a bit more problematic, as there's
no way to safeguard it. Android users' best bet is to kill their calendar
app when they're on an open connection.

Again, these steps are only necessary if you are on an open Wi-Fi connection.

The good news is that Google appears to be moving
to fix this issue sooner or later. It has already enforced mandatory use
of https (which does not reveal the auth token in plain text) in its Google Docs
API, and this change is expected to spread to the rest of the
authentication-dependent APIs shortly. Given the press coverage this hack is
getting, we're guessing that it will be pushed out as a patch sooner rather
than later.
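The two points the article makes about the API, that a token handed back over clear http is readable by anyone on the same network and that forcing https is the fix, can be made concrete in a few lines. The following is an added example, not code from the article, from the Ulm researchers, or from Google: it models a client that refuses to attach a GoogleLogin-style auth token to anything but an https URL, applies the http-to-https upgrade as the mitigation, and audits a constructed traffic capture (the way an app developer would check their own app's requests) for tokens sent in the clear. The token value, the capture lines and the function names are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed placeholder; a real ClientLogin authToken is a long opaque string.
SAMPLE_TOKEN = "DQAAAEXAMPLE1"

# Constructed capture lines in a simple "METHOD URL [Authorization header]" shape,
# standing in for what a developer would see in a proxy log of their own app.
SAMPLE_CAPTURE = [
    "GET http://www.google.com/calendar/feeds/default/private/full "
    "Authorization: GoogleLogin auth=DQAAAEXAMPLE1",
    "GET https://www.google.com/calendar/feeds/default/private/full "
    "Authorization: GoogleLogin auth=DQAAAEXAMPLE1",
    "GET http://www.example.com/public/feed",
]

# The Authorization header format used by ClientLogin is "GoogleLogin auth=<token>".
TOKEN_RE = re.compile(r"GoogleLogin auth=(\S+)")


class InsecureTransportError(ValueError):
    """Raised when a bearer token would be sent over a non-TLS connection."""


def token_would_leak(url):
    """True when a token attached to this URL travels in the clear.

    The token is a bearer credential: anyone who can read it on an open
    Wi-Fi network can replay it, so only https counts as safe here.
    """
    return urlsplit(url).scheme != "https"


def build_authenticated_request(url, token):
    """Return (url, headers) for a request carrying the auth token.

    Refuses outright rather than silently downgrading, so a misconfigured
    endpoint fails loudly in testing instead of leaking the token in the field.
    """
    if token_would_leak(url):
        scheme = urlsplit(url).scheme or "unknown"
        raise InsecureTransportError(
            f"refusing to send auth token over {scheme}: {url}")
    return url, {"Authorization": f"GoogleLogin auth={token}"}


def upgrade_to_https(url):
    """The mitigation the article describes: force https for token-bearing calls."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url


def audit_captured_requests(lines):
    """Audit a capture of the app's own traffic for tokens sent over plain http.

    Returns (url, truncated_token) pairs so the report itself does not
    reproduce the full credential.
    """
    leaks = []
    for line in lines:
        match = TOKEN_RE.search(line)
        if not match:
            continue  # no credential on this request
        url = line.split()[1]
        if token_would_leak(url):
            leaks.append((url, match.group(1)[:6] + "..."))
    return leaks


if __name__ == "__main__":
    for url, token_hint in audit_captured_requests(SAMPLE_CAPTURE):
        print(f"plaintext token {token_hint} sent to {url}; "
              f"use {upgrade_to_https(url)} instead")
```

Run against the constructed capture, only the first line is reported: the https request carries the same token but is not readable on the wire, and the third request carries no credential at all.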

Until that patch arrives, follow the above
described precautions whenever you're on an open network.

Last fall iOS was shown to have a bug that gave
unauthorized users full access to the phone app via a
trick on the unlock screen. While dangerous, that exploit was a bit
different -- it required physical access. By contrast, this exploit
doesn't even require a hacker to touch your Android handset.
